Type/Severity

Topic

Red Hat Product Security has rated this update as having Important securityimpact. Common Vulnerability Scoring System (CVSS) base scores, which givedetailed severity ratings, are available for each vulnerability from theCVE links in the References section.

Description

The Berkeley Internet Name Domain (BIND) is an implementation of the DomainName System (DNS) protocols. BIND includes a DNS server (named); a resolverlibrary (routines for applications to use when interfacing with DNS); andtools for verifying that the DNS server is operating correctly.

A denial of service flaw was found in the way BIND followed DNSdelegations. A remote attacker could use a specially crafted zonecontaining a large number of referrals which, when looked up and processed,would cause named to use excessive amounts of memory or crash.(CVE-2014-8500)

A flaw was found in the way BIND handled requests for TKEY DNS resourcerecords. A remote attacker could use this flaw to make named (functioningas an authoritative DNS server or a DNS resolver) exit unexpectedly with anassertion failure via a specially crafted DNS request packet.(CVE-2015-5477)

A denial of service flaw was found in the way BIND parsed certain malformedDNSSEC keys. A remote attacker could use this flaw to send a speciallycrafted DNS query (for example, a query requiring a response from a zonecontaining a deliberately malformed key) that would cause named functioningas a validating resolver to crash. (CVE-2015-5722)

A denial of service flaw was found in the way BIND processed certainrecords with malformed class attributes. A remote attacker could use thisflaw to send a query to request a cached record with a malformed classattribute that would cause named functioning as an authoritative orrecursive server to crash. (CVE-2015-8000)

Note: This issue affects authoritative servers as well as recursiveservers, however authoritative servers are at limited risk if they performauthentication when making recursive queries to resolve addresses forservers listed in NS RRSETs.

Red Hat would like to thank ISC for reporting the CVE-2015-5477,CVE-2015-5722, and CVE-2015-8000 issues. Upstream acknowledges JonathanFoote as the original reporter of CVE-2015-5477, and Hanno Böck as theoriginal reporter of CVE-2015-5722.

All bind users are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues. After installing theupdate, the BIND daemon (named) will be restarted automatically.

Solution

Before applying this update, make sure all previously released erratarelevant to your system have been applied.